Setting up a Let's Encrypt certificate for Zimbra 8.8.9
Original article published on: 11 August 2018
Updated on: 30 November 2019
Following my server update and the renewal of the certificate, I am updating the procedure so that it is less confusing than the previous one.
/!\ Quick reminder: to generate a certificate with Let's Encrypt, port 443 must be open and not in use.
Log in as the zimbra user, then stop the proxy service
# su - zimbra
$ zmproxyctl stop
Go back to your own user or root, then generate the certificate
# /opt/letsencrypt/letsencrypt-auto certonly --standalone -d nom_du_serveur_mail
For validation, this returns:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/nom_du_serveur_mail/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/nom_du_serveur_mail/privkey.pem
   Your cert will expire on 2018-11-09. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Create the root-ca
# vim /tmp/root-ca.pem
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
Copy the files generated by Let's Encrypt to /tmp, then build the certificate chain.
# cp /etc/letsencrypt/live/nom_du_serveur_mail/* /tmp
# cd /tmp
# cat chain.pem root-ca.pem > chain-root-ca.pem
Back up the previous certificate, rename the files, copy the new certificate and set the permissions.
# cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
# mv cert.pem commercial.crt
# mv chain-root-ca.pem chain.txt
# cp /tmp/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
# chown zimbra.zimbra /tmp/*.crt
# chmod 666 /tmp/*.crt
Then log back in as the Zimbra user, finish deploying the certificate and restart the services.
$ su - zimbra
$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/chain.txt
$ /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/chain.txt
$ zmcontrol restart
To check the certificate
# /opt/zimbra/bin/zmcertmgr viewdeployedcrt
SubjectAltName=nom_du_serveur_mail
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Aug 11 10:56:44 2018 GMT
notAfter=Nov 9 10:56:44 2018 GMT
subject= /CN=nom_du_serveur_mail
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=nom_du_serveur_mail
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Aug 11 10:56:44 2018 GMT
notAfter=Nov 9 10:56:44 2018 GMT
subject= /CN=nom_du_serveur_mail
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=nom_du_serveur_mail
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Aug 11 10:56:44 2018 GMT
notAfter=Nov 9 10:56:44 2018 GMT
subject= /CN=nom_du_serveur_mail
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=nom_du_serveur_mail
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Aug 11 10:56:44 2018 GMT
notAfter=Nov 9 10:56:44 2018 GMT
subject= /CN=nom_du_serveur_mail
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=nom_du_serveur_mail
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=Aug 11 10:56:44 2018 GMT
notAfter=Nov 9 10:56:44 2018 GMT
subject= /CN=nom_du_serveur_mail
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=nom_du_serveur_mail
22/06/2019: Added a small script that groups all the commands together.
Prerequisite: have the root-ca stored locally and check the path of the Let's Encrypt directory.
# ./renew_cert_zimbra.sh
#!/bin/bash
# Stop the Zimbra proxy so that port 443 is free for the standalone challenge
su - zimbra -c "/opt/zimbra/bin/zmproxyctl stop"
# Request or renew the certificate (interactive: choose standalone and enter the FQDN)
/opt/letsencrypt/certbot-auto certonly
# Build the chain: Let's Encrypt intermediate followed by the locally stored root CA
cp /root/root-ca.pem /tmp
cp /etc/letsencrypt/live/server-mail.domaine.tld/* /tmp
cd /tmp
cat chain.pem root-ca.pem > chain-root-ca.pem
# Back up the current Zimbra certificate directory before touching it
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
mv cert.pem commercial.crt
mv chain-root-ca.pem chain.txt
cp /tmp/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra.zimbra /tmp/*.crt
chmod 666 /tmp/*.crt
# Verify that key, certificate and chain match before deploying, then restart
su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/chain.txt"
su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/chain.txt"
su - zimbra -c "/opt/zimbra/bin/zmcontrol restart"
su - zimbra -c "/opt/zimbra/bin/zmcertmgr viewdeployedcrt"
echo ""
echo "Verification de la date du certificat"
echo ""
# Confirm that the certificate actually served on port 443 carries the new dates
echo | openssl s_client -servername server-mail.domaine.tld -connect server-mail.domaine.tld:443 2>/dev/null | openssl x509 -noout -dates
When run:
Stopping proxy...done.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/server-mail.domaine.tld.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/server-mail.domaine.tld/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/server-mail.domaine.tld/privkey.pem
   Your cert will expire on 2019-09-19. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/chain.txt'
Valid certificate chain: /tmp/commercial.crt: OK
** Verifying '/tmp/commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/tmp/commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/tmp/commercial.crt' against '/tmp/chain.txt'
Valid certificate chain: /tmp/commercial.crt: OK
** Copying '/tmp/commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Copying '/tmp/chain.txt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
** Appending ca chain '/tmp/chain.txt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer server-mail.domaine.tld...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer server-mail.domaine.tld...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 7 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/c1d601f8.0
** Removing /opt/zimbra/conf/ca/commercial_ca_1.crt
** Removing /opt/zimbra/conf/ca/4f06f81d.0
** Removing /opt/zimbra/conf/ca/commercial_ca_2.crt
** Removing /opt/zimbra/conf/ca/2e5ac55d.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink 'c1d601f8.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '4f06f81d.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink '2e5ac55d.0' -> 'commercial_ca_2.crt'
Host server-mail.domaine.tld
Stopping zmconfigd...Done.
Stopping imapd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...Done.
Host server-mail.domaine.tld
Starting ldap...Done.
Starting zmconfigd...Done.
Starting dnscache...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting memcached...Done.
Starting proxy...Done.
Starting amavis...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting opendkim...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
Starting service webapp...Done.
Starting zimbra webapp...Done.
Starting zimbraAdmin webapp...Done.
Starting zimlet webapp...Done.
Starting imapd...Done.
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld

Verification de la date du certificat

notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
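An added check (example code, not part of the original post) that works over the `zmcertmgr viewdeployedcrt` output shown above and the `notAfter=` lines the script prints with `openssl x509 -noout -dates`: it parses each service entry, flags services that are missing or still serving an older certificate (the case the "restart mailboxd" note in the deploy output warns about), and reports any certificate with fewer than `min_days` left. The sample output is constructed; the five-service list and the 14-day threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format printed by `zmcertmgr viewdeployedcrt`;
# mailboxd is deliberately left on the previous certificate.
SAMPLE = """\
- imapd: /opt/zimbra/conf/imapd.crt
notBefore=Jun 21 20:56:08 2019 GMT
notAfter=Sep 19 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Mar 23 20:56:08 2019 GMT
notAfter=Jun 21 20:56:08 2019 GMT
subject= /CN=server-mail.domaine.tld
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
SubjectAltName=server-mail.domaine.tld
"""
SERVICES = ("imapd", "ldap", "mailboxd", "mta", "proxy")  # assumed single-server set
ENTRY = re.compile(r"^- (\w+): (\S+)\s*$", re.M)
FIELD = re.compile(r"^(notBefore|notAfter|subject|issuer|SubjectAltName)=\s*(.*)$", re.M)

def parse_date(value):
    """'Sep 19 20:56:08 2019 GMT' (zmcertmgr and `openssl x509 -dates` style) -> aware UTC datetime."""
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_deployed(text):
    """Map each service to its path, validity window, subject, issuer and SAN."""
    certs, heads = {}, list(ENTRY.finditer(text))
    for n, head in enumerate(heads):
        stop = heads[n + 1].start() if n + 1 < len(heads) else len(text)
        info = {key: val.strip() for key, val in FIELD.findall(text[head.end():stop])}
        info["notBefore"], info["notAfter"] = parse_date(info["notBefore"]), parse_date(info["notAfter"])
        info["path"] = head.group(2)
        certs[head.group(1)] = info
    return certs

def check_deployed(text, now, min_days=14):
    """Findings for missing services, mixed certificates and imminent expiry; [] means healthy."""
    if isinstance(now, str):  # ISO 8601 with offset, e.g. "2019-09-10T00:00:00+00:00"
        now = datetime.fromisoformat(now)
    certs, findings = parse_deployed(text), []
    findings += [f"{svc}: no certificate deployed" for svc in SERVICES if svc not in certs]
    if len({c["notAfter"] for c in certs.values()}) > 1:
        findings.append("services run different certificates (restart or redeploy needed)")
    for svc, cert in certs.items():
        days = (cert["notAfter"] - now).days
        if days < min_days:
            findings.append(f"{svc}: {cert['path']} expires in {days} days")
    return findings
```

Feeding it the real output (`zmcertmgr viewdeployedcrt | python3 check.py` with `sys.stdin.read()` and `datetime.now(timezone.utc)`) turns the manual post-deploy glance into a check that a cron job can run.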
30/11/2019: When renewing the certificate a new option appeared; you have to choose standalone and enter the full fqdn.
Hello,
I managed to issue my certificate by copying the root-ca you give in your article. But I would like to know from which url you fetch the certificate, since the one you present is only valid until 30 September 2021:
subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
notBefore=Sep 30 21:12:19 2000 GMT
notAfter=Sep 30 14:01:15 2021 GMT
That way the script could include downloading the certificate that is current at the time of renewal.
Hello,
I had fetched the root-ca from Symantec, which was bought by Digicert this year
the url https://knowledge.digicert.com/solution/SO20541 which points to the root-ca link no longer works
Download the Root CA certificate. Save Root CA certificate file (e.g. /tmp/ca.crt)
Oops, there is a problem The page you requested cannot be found. Search by entering one or more keywords in the search field above
We'll have to wait for them to update their page :/
Hello,
Great work, and thanks for sharing this; I took inspiration from it.
I would also be interested in the new certificate to add to the Let's Encrypt certificate.
If you have that information it would be great.
Have a good day..
Hello
Thanks, unfortunately I no longer have a Zimbra server (ms lobbying ...)
Following the expiry of the Let's Encrypt certificate yesterday, maybe see https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
For the expiry of the root-ca it points to Comodo https://wiki.zimbra.com/wiki/Root_CA_certificate_has_expired
Feel free to post again if you have your solution
++